Frequently Asked Questions on e-Cert
- HONGKONG POST CA
- PUBLIC KEY INFRASTRUCTURE (PKI)
- HONGKONG POST E-CERT SERVICES
- SUBMISSION OF CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER)
- CENTRAL KEY GENERATION SERVICE FOR E-CERT
- TECHNICAL ISSUES
- REVOCATION OF CERTIFICATES
- DELETION AND RECOVERY ISSUES
- BACK-UP AND TRANSFER OF CERTIFICATE
- E-CERT FOR SMART ID CARD / SMART CARD READER
- RENEWAL OF E-CERT (PERSONAL)
- E-CERT FILE CARD
- E-CERT FILE USB
- E-CERT (SERVER)
- WHY SHOULD I CHOOSE HONGKONG POST CA AS MY CERTIFICATION AUTHORITY?
- ARE THERE LAWS IN HONG KONG REGULATING DIGITAL SIGNATURES?
- WHAT IS THE MEANING OF "RELIANCE LIMIT" FOR THE E-CERT CERTIFICATE?
- RETIREMENT OF SUPERSEDED CERTIFICATION AUTHORITY SYSTEM
- HONGKONG POST CERTIFICATION AUTHORITY SUB CA ROLLOVER ON 26 FEBRUARY 2010
- WHAT WILL BE THE IMPACTS TO E-CERT SUBSCRIBERS AS A RESULT OF THE SUB CA ROLLOVER ON 26 FEBRUARY 2010?
- EXPIRY OF SUB CA "HONGKONG POST E-CERT CA 1"
- WHAT IS ENCRYPTION?
- WHAT IS PUBLIC KEY CRYPTOGRAPHY AND HOW DOES IT WORK?
- WHAT IS A CERTIFICATION AUTHORITY (CA)?
- WHAT IS A DIGITAL CERTIFICATE?
- WHAT IS THE HONGKONG POST E-CERT CERTIFICATE?
- WHAT IS A DIGITAL SIGNATURE AND HOW DOES IT WORK?
- WHAT IS HASH FUNCTION/VALUE?
- WHAT IS S/MIME?
- WHY IS/ARE THERE AN S/MIME .P7M AND/OR S/MIME .P7S ATTACHMENT TO MY E-MAIL?
- WHAT IS A SECURE SOCKET LAYER (SSL)?
- HOW DO I SEND A SIGNED AND ENCRYPTED E-MAIL?
- HOW CAN I OBTAIN SOMEONE ELSE'S DIGITAL CERTIFICATE (WITH PUBLIC KEY EMBEDDED) IN ORDER TO SEND HIM/HER AN ENCRYPTED E-MAIL?
- HOW DO I READ THE ENCRYPTED E-MAILS I RECEIVE?
- HOW DO I VERIFY THE DIGITAL SIGNATURES ON SIGNED MESSAGES I RECEIVE?
- HOW DO I KNOW IF THE E-MAIL I HAVE RECEIVED IS SIGNED OR ENCRYPTED?
- CAN I SEND SECURE E-MAIL TO SOMEONE WHO DOES NOT HAVE A DIGITAL CERTIFICATE?
- DOES HONGKONG POST E-CERT SUPPORT CHINESE CHARACTERS?
- DOES HONGKONG POST E-CERT SUPPORT ELLIPTIC CURVE CRYPTOSYSTEM (ECC)?
- DOES HONGKONG POST E-CERT SUPPORT OBJECT SIGNING AND AUTHENTICODE?
- WHAT IS THE KEY LENGTH OF HONGKONG POST E-CERT (SERVER)?
- CAN HONGKONG POST E-CERT CERTIFICATES BE USED INTERNATIONALLY?
- CAN I USE MY E-CERT WITH HOTMAIL OR OTHER SIMILAR E-MAIL SERVICES?
- WHAT HAPPENS AFTER MY HONGKONG POST E-CERT CERTIFICATE EXPIRES?
- HOW MANY HONGKONG POST E-CERT CERTIFICATES CAN I APPLY FOR?
- HOW MUCH DOES A HONGKONG POST E-CERT CERTIFICATE COST?
- FOR HOW LONG ARE HONGKONG POST E-CERT CERTIFICATES VALID?
- CAN I CHANGE THE INFORMATION ON A CERTIFICATE?
- WHAT ARE THE KEY LENGTHS SUPPORTED BY HONGKONG POST CA?
- WHY DOES MY BROWSER FIRST HAVE TO ACCEPT THE HONGKONG POST ROOT CA CERTIFICATE?
- WHERE DO I DOWNLOAD THE PUBLIC KEY OF THE HONGKONG POST ROOT CA CERTIFICATE, AND HOW DO I INSTALL IT IN THE BROWSER?
- HOW DO I RETRIEVE A LOST OR ACCIDENTALLY DELETED E-CERT?
- WHY IS IT IMPORTANT TO MAKE A BACK-UP COPY OF MY HONGKONG POST E-CERT CERTIFICATE?
- CAN I USE ONE HONGKONG POST E-CERT CERTIFICATE FOR MULTIPLE E-MAIL ADDRESSES?
- WHAT ARE THE AUTHENTICATION PROCEDURES FOR HONGKONG POST E-CERT CERTIFICATES?
- WHY IS HONGKONG POST ISSUING DIGITAL CERTIFICATES TO MINORS?
- CAN I SEARCH HONGKONG POST E-CERT (ENCIPHERMENT) CERTIFICATE FROM THE HONGKONG POST DIRECTORY SERVER?
- WHERE CAN I FIND THE TERMS AND CONDITIONS GOVERNING THE USE OF HONGKONG POST E-CERT CERTIFICATES?
- HOW TO SEARCH IN NETSCAPE THE CERTIFICATE OF OTHER PEOPLE WHO HAVE TWO OR MORE E-CERTS WITH THE SAME EMAIL ADDRESS?
- WHY MUST AN APPLICANT FOR E-CERT COMPLETE THE IDENTITY VERIFICATION PROCESS IN PERSON AT A POST OFFICE?
- CAN AN APPLICANT VISIT A POST OFFICE DURING LUNCH BREAK, OVER WEEKEND OR ON SUNDAY TO COMPLETE THE APPLICATION PROCESS?
- IF AN APPLICANT HAS QUESTIONS OF INSTALLING AN E-CERT, HOW CAN HE/SHE SEEK HELP?
- IS IT A PROPER ARRANGEMENT FOR HONGKONG POST TO DELIVER THE E-CERT STORAGE MEDIUM TO AN APPLICANT BY POST?
- CAN AN E-CERT BE USED ON COMPUTERS RUNNING LINUX OR MAC OPERATING SYSTEMS?
- WHAT ARE THE DIFFERENCES IN CERTIFICATE FEATURES BETWEEN E-CERT (ORGANISATIONAL ROLE) AND E-CERT (ORGANISATIONAL)?
- IS E-CERT (ORGANISATIONAL ROLE) OR E-CERT (ORGANISATIONAL) SUITABLE FOR USE IN MY ORGANISATION?
- WHAT IS THE DIFFERENCE IN APPLICATION PROCEDURE BETWEEN E-CERT (ORGANISATIONAL ROLE) AND E-CERT (ORGANISATIONAL)?
- WHY IS PRIOR ARRANGEMENT REQUIRED FOR THE OFFER OF E-CERT (ORGANISATIONAL ROLE) CERTIFICATES FROM HONGKONG POST CERTIFICATION AUTHORITY?
- WHAT IS A CERTIFICATE SIGNING REQUEST (CSR)?
- HOW DO I GENERATE A CERTIFICATE SIGNING REQUEST (CSR)?
- WHAT SHOULD I PASTE INTO THE CERTIFICATE SIGNING REQUEST (CSR) TEXT BOX DURING THE E-CERT (SERVER) CSR SUBMISSION PROCESS?
- WHAT SHOULD I DO IF I DID NOT DOWNLOAD MY E-CERT (SERVER) IN THE LAST STEP OF THE CERTIFICATE SIGNING REQUEST (CSR) SUBMISSION PROCESS?
- WHAT IS CENTRAL KEY GENERATION SERVICE AND HOW DOES IT WORK?
- IS CENTRAL KEY GENERATION SERVICE APPLICABLE TO ALL TYPES OF E-CERT?
- ARE THERE ANY PROTECTIVE MEASURES TO SAFEGUARD THE PRIVATE KEY OF THE E-CERT CREATED UNDER THE CENTRAL KEY GENERATION SERVICE?
- WHICH VERSIONS OF INTERNET BROWSER CAN THE E-CERT FILE GENERATED UNDER THE CENTRAL KEY GENERATION SERVICE WORK WITH?
- IS THERE ANY TOOL OR PROGRAM THAT CAN BE USED TO CHANGE THE PASSWORD OF THE E-CERT FILE?
- IS THERE ANY RESTRICTION IN USING THE "CHANGE PASSWORD PROGRAM" SOFTWARE?
- HOW DOES THE "CHANGE PASSWORD PROGRAM" WORK?
- SYSTEM REQUIREMENTS
- HOW DO I KNOW THAT MY HONGKONG POST E-CERT CERTIFICATE IS PROPERLY INSTALLED?
- WHAT SHOULD I DO IF MY PIN DOES NOT APPEAR TO WORK?
- WHY AM I GETTING AN 'EXPIRED CERTIFICATE' MESSAGE SHORTLY AFTER DOWNLOADING IT?
- I HAVE DELETED MY NETSCAPE NAVIGATOR AND INSTALLED THE LATEST VERSION. HOW DO I REINSTALL MY DIGITAL CERTIFICATE?
- HOW DO I KNOW I AM CONNECTED TO A SECURE SERVER?
- HOW DO I GET 128-BIT / FULL-STRENGTH SESSIONS?
- WHAT DOMAIN NAME DO I USE ON MY SERVER CERTIFICATE REQUEST?
- WHICH FIELD INSIDE THE E-CERT (ENCIPHERMENT) CERTIFICATE CONTROLS THE USAGE PURPOSE OF THE KEY PAIR?
- THE KEY PAIR OF THE E-CERT (ENCIPHERMENT) WILL BE USED FOR ENCRYPTION AND DECRYPTION OF ELECTRONIC RECORDS. HOW DOES THIS KEY PAIR WORK?
- USING E-CERT IN THE CRYPTO TOOLS SOFTWARE
- HOW DO I REVOKE MY HONGKONG POST E-CERT CERTIFICATE?
- WHY DO I NEED TO REVOKE MY CERTIFICATE BEFORE IT EXPIRES?
- HOW CAN I VERIFY THE STATUS OF MY REVOKED CERTIFICATE?
- IS THERE ANY WAY TO RECOVER MY HONGKONG POST E-CERT CERTIFICATE IF MY HARD DRIVE HAS CRASHED?
- WHAT SHOULD I DO IF MY COMPUTER HAS BEEN STOLEN TOGETHER WITH MY CERTIFICATE?
- SHOULD I DELETE MY EXPIRED OR REVOKED E-CERT?
- HOW DO I SAVE A BACK-UP COPY OF MY DIGITAL CERTIFICATE?
- HOW DO I TRANSFER MY DIGITAL CERTIFICATE TO A NEW COMPUTER?
- WHAT TYPES OF SMART CARD READER CAN SUPPORT THE USAGE OF E-CERT ON SMART ID CARD?
- WHERE CAN I BUY THESE SMART CARD READERS?
- HOW TO INSTALL THE SMART CARD READER INTO MY COMPUTER?
- WOULD THE SMART CARD READER SCRATCH THE SIM ON MY SMART ID CARD?
- WHAT IS THE MINIMUM REQUIREMENT OF MY PC TO INSTALL A SMART CARD READER?
- WHAT IF THE CHIP OF MY SMART ID CARD IS SCRATCHED? WOULD THE E-CERT INSIDE MY SMART ID CARD BE AFFECTED?
- WHAT IF MY SMART ID CARD IS DAMAGED AND MY E-CERT CANNOT BE ACCESSED?
ON SMART ID CARD
- HOW MANY E-CERTS CAN BE STORED IN A SMART ID CARD?
- WHAT SHOULD I DO IF I ACCIDENTALLY DELETED E-CERT FROM MY SMART ID CARD?
- WHERE CAN I CHECK THE INFORMATION OF THE E-CERT ON MY SMART ID CARD IF I DO NOT HAVE SMART CARD READER AT HOME?
- FOR HOW LONG IS THE HONGKONG POST E-CERT ON SMART ID CARD VALID?
- IF THE E-CERT ON SMART ID CARD IS EXPIRED, HOW CAN I DECRYPT EMAILS ENCRYPTED WITH MY EXPIRED E-CERT?
- HOW CAN I DELETE THE E-CERT ON MY SMART ID CARD?
- PIN ENVELOPE
- E-CERT BACKUP SERVICE
- PRIVACY OF E-CERT INFORMATION ON THE SMART ID CARD
- WHAT IS E-CERT CONTROL MANAGER ADD-ON PACK, AND DO I NEED TO INSTALL IT?
- WHERE CAN I OBTAIN E-CERT CONTROL MANAGER ADD-ON PACK?
- HOW DO I KNOW THAT E-CERT CONTROL MANAGER ADD-ON PACK IS INSTALLED?
- WILL E-CERT CONTROL MANAGER SUPPORT NETSCAPE NAVIGATOR VERSION 9 OR ABOVE?
- WHY CAN I STILL NOT USE E-CERT ON SMART ID CARD IN CERTAIN ONLINE SERVICES THROUGH INTERNET EXPLORER ON WINDOWS VISTA EVEN THOUGH I HAVE INSTALLED E-CERT CONTROL MANAGER FOR WINDOWS VISTA?
- WHAT SHOULD I DO IF I ENCOUNTER ERROR MESSAGES DURING THE INSTALLATION OF E-CERT CONTROL MANAGER?
- WHAT ARE THE IMPACTS TO SUBSCRIBERS USING E-CERT ON SMART ID CARD AFTER SUB CA ROLLOVER ON 26 FEBRUARY 2010?
- WHY CAN I NOT USE E-CERT ON SMART ID CARD IN CERTAIN ONLINE SERVICES OR APPLICATION PROGRAMS IF I AM USING A 64-BIT VERSION OF WINDOWS?
- WHICH APPLICATIONS ARE SUPPORTED BY THE LATEST VERSION OF E-CERT CONTROL MANAGER?
- WHY CAN I NOT USE E-CERT ON SMART ID CARD IN CERTAIN ONLINE SERVICES THROUGH INTERNET EXPLORER IN THE WINDOWS UI EVEN THOUGH I HAVE INSTALLED E-CERT CONTROL MANAGER?
- WHY HAVE SUBSCRIBERS OF E-CERT ON SMART ID CARD NOT RECEIVED THE RENEWAL NOTICE UPON THE EXPIRY OF E-CERT?
- WHAT IS THE DIFFERENCE BETWEEN "EXTENSION OF SUBSCRIPTION PERIOD" AND "RENEWAL"?
- HOW CAN SUBSCRIBERS RENEW THEIR E-CERT?
- WHAT IS THE VALIDITY PERIOD OF THE RENEWED E-CERT (PERSONAL)? WHAT IS THE RENEWAL FEE?
- CAN I PAY HK$150 FOR 3-YR SUBSCRIPTION FEES IN ONE GO?
- WHEN SUBMITTING A RENEWAL APPLICATION, WILL THE SUBSCRIBERS OF E-CERT (PERSONAL) BE ISSUED A NEW PIN ENVELOPE?
- UPON RECEIPT OF THE NEW PIN ENVELOPE AND E-CERT STORAGE MEDIUM FOR THE RENEWED E-CERT ON SMART ID CARD, CAN THE SUBSCRIBER THROW AWAY THE OLD PIN ENVELOPE AND E-CERT STORAGE MEDIUM?
- I HAVE EMBEDDED MY E-CERT ONTO SMART ID CARD PREVIOUSLY. NOW, CAN I RENEW MY E-CERT (PERSONAL) WITHOUT EMBEDDING ONTO SMART ID CARD?
- CAN THE RENEWED E-CERT BE STORED TOGETHER WITH THE EXISTING E-CERT THAT WAS STORED IN THE SMART ID CARD?
- I HAVE TWO E-CERTS ON HAND BUT ONLY THE SMART ID CARD ONE HAS EXPIRED. CAN I LOAD THE OTHER E-CERT (PERSONAL) FROM E-CERT STORAGE MEDIUM ONTO MY SMART ID CARD BY MYSELF?
- WHAT ARE THE CHANNELS FOR ENQUIRY?
- WHAT IS E-CERT FILE CARD?
- WHAT IS THE DIFFERENCE BETWEEN E-CERT FILE CARD AND FLOPPY DISKETTE?
- WHAT IS THE DIFFERENCE BETWEEN E-CERT FILE CARD AND SMART ID CARD?
- WHAT ARE THE MAJOR BENEFITS OF AN E-CERT FILE CARD?
- DO I NEED TO PAY FOR THE E-CERT FILE CARD?
- IN TERMS OF PROTECTION OF THE E-CERT, WHAT IS THE DIFFERENCE BETWEEN SMART ID CARD AND E-CERT FILE CARD?
ON E-CERT FILE CARD
- HOW CAN I USE MY E-CERT FROM E-CERT FILE CARD?
- CAN I CHANGE THE E-CERT PASSWORD ON THE E-CERT FILE CARD?
- HOW CAN I LOAD THE E-CERT ON E-CERT FILE CARD TO MY SMART ID CARD?
- CAN I DELETE THE E-CERT FROM THE E-CERT FILE CARD?
- IF THE E-CERT IS ALREADY STORED ON MY PC, CAN I COPY IT BACK TO THE E-CERT FILE CARD?
- MY E-CERT FILE CARD IS DAMAGED AND MY E-CERT CANNOT BE ACCESSED. IF THIS IS THE ONLY COPY OF MY E-CERT, WHAT SHOULD I DO?
- DO I NEED TO KEEP THE E-CERT FILE CARD AFTER I HAVE EXPORTED MY E-CERT?
- WHAT SHOULD I DO IF I FORGOT THE PASSWORD OF MY E-CERT ON THE E-CERT FILE CARD?
- WHAT SHOULD I DO IF I LOST MY E-CERT FILE CARD?
- E-CERT FILE CARD UTILITY PROGRAM
- TECHNICAL REQUIREMENTS ON OPERATING THE E-CERT FILE CARD
- E-CERT FILE CARD APPLICATION PROCEDURES
- WHAT IS E-CERT FILE USB?
- WHAT IS THE MAJOR ADVANTAGE OF E-CERT FILE USB?
- DO I NEED TO PAY FOR THE E-CERT FILE USB?
- WHEN WILL THE FLOPPY DISKETTE CEASE TO BE AN E-CERT STORAGE MEDIUM?
- DUE TO THE SECURITY POLICY, THE USB PORTS OF COMPUTERS IN MY OFFICE ARE DISABLED. HOW CAN I READ MY E-CERT FROM E-CERT FILE USB?
- WHAT IS THE DIFFERENCE BETWEEN E-CERT FILE USB AND E-CERT FILE CARD?
- I HAD NOT CHOSEN E-CERT FILE USB WHEN I APPLIED FOR E-CERT. CAN I CHOOSE TO BUY IT AFTER RECEIVING MY E-CERT?
- WHEN APPLYING FOR E-CERT (SERVER), WHICH OPTION SHOULD I CHOOSE?
- WHEN APPLYING FOR AN E-CERT (SERVER), WHAT ARE THE RESTRICTIONS IN THE SERVER NAMES?
- WHAT ARE THE ADVANTAGES OF E-CERT (SERVER) WITH "WILDCARD" FEATURE AND "MULTI-DOMAIN" FEATURE?
- HOW TO SUBMIT CERTIFICATE SIGNING REQUEST (CSR) FOR E-CERT (SERVER) WITH "WILDCARD" FEATURE AND "MULTI-DOMAIN" FEATURE? IS THERE ANY DIFFERENCE IN THE PROCEDURES COMPARED WITH THE PROCEDURES IN SUBMISSION OF CSR FOR AN E-CERT (SERVER)?
- E-CERT (SERVER) WITH "WILDCARD" FEATURE OR "MULTI-DOMAIN" FEATURE MAY BE USED IN MULTIPLE SERVERS. THEN, HOW MANY CERTIFICATES WILL BE ISSUED TO THE SUBSCRIBER?
- CAN I APPLY FOR AN E-CERT (SERVER) WITH BOTH "MULTI-DOMAIN" FEATURE & "WILDCARD" FEATURE IN ONE CERTIFICATE?
- IN "SEARCH AND DOWNLOAD E-CERT (SERVER)" FUNCTION, WHICH SERVER NAME SHOULD BE USED TO SEARCH AND DOWNLOAD THE E-CERT (SERVER) WITH "WILDCARD" FEATURE OR "MULTI-DOMAIN" FEATURE?
- CAN I USE IP ADDRESS INSTEAD OF SERVER NAME?
- HOW TO COUNT "ADDITIONAL SERVERS" FOR E-CERT (SERVER) WITH "WILDCARD" FEATURE?
- AS THE NUMBER OF ADDITIONAL SERVERS IS SPECIFIED IN THE APPLICATION FOR E-CERT (SERVER) WITH "WILDCARD" FEATURE, WHAT SHOULD BE DONE IF THE NUMBER OF ADDITIONAL SERVERS CHANGES AFTER THE CERTIFICATE IS ISSUED?
- CAN I APPLY FOR AN E-CERT (SERVER) WITH "WILDCARD" FEATURE WITH A SERVER NAME CONTAINING MORE THAN ONE WILDCARD CHARACTER ("*")?
- HOW TO APPLY FOR AN E-CERT (SERVER) FOR ONE SERVER NAME WITH "DIGITAL SIGNATURE" KEY USAGE?
- CAN I ADD/REMOVE/ALTER THE SERVER NAME AFTER AN E-CERT (SERVER) WITH "MULTI-DOMAIN" FEATURE IS ISSUED?
- CAN I REVOKE SOME BUT NOT ALL SERVER NAMES IN AN E-CERT (SERVER) WITH "MULTI-DOMAIN" FEATURE?
A. Hongkong Post CA
Hongkong Post Certification Authority is a recognised Certification Authority under the Electronic Transactions Ordinance, CAP 553. The Hongkong Post e-Cert certificates are recognised certificates issued by the Postmaster General of the Hong Kong Post Office in accordance with the requirements of the Electronic Transactions Ordinance and the Code of Practice for Recognised Certification Authorities. In addition, Hongkong Post CA conducts a strict authentication process to verify the identity of subscribers, providing the infrastructure for secure e-commerce. Details of the authentication procedures are available from the Hongkong Post Certification Practice Statement (CPS) at www.hongkongpost.gov.hk.
Yes, the Electronic Transactions Ordinance (Cap 553), was first enacted in January 2000 and amended in July 2004. The Ordinance is available for viewing at http://www.ogcio.gov.hk/en/regulation/eto/index.htm.
Reliance Limit means the monetary limit specified for reliance on a recognised certificate. The relevant sections of the Electronic Transactions Ordinance are Sections 41 and 42.
In January 2004, Hongkong Post completed the Certification Authority (CA) system upgrade exercise, and the functions of the original CA system (OCA) operating under the OCA roots "Hongkong Post Root CA" and "Hongkong Post e-Cert CA" were taken over by the new CA system (NCA) operating under three NCA roots "Hongkong Post Root CA 1", "Hongkong Post e-Cert CA 1" and "Hongkong Post e-Cert CA 1 - 10".
Since 1 February 2004, the NCA has been issuing all types of recognized certificates and the OCA has ceased to issue recognized certificates. As all recognized certificates issued by the OCA had a validity period of one year, all such certificates had expired by 1 February 2005, so no recognized certificate issued by the OCA is still valid at present.
On 1 April 2005, the OCA retired and ceased to issue CRLs under the OCA roots "Hongkong Post Root CA" and "Hongkong Post e-Cert CA". The last CRL of the OCA was issued on 31 March 2005.
The retirement of the OCA does not affect the existing operation (including the publication of CRLs) of the NCA and services of the Hongkong Post Certification Authority. All recognized certificates and CRLs issued under both the OCA and NCA are still accessible at the existing repository.
The Sub CA "Hongkong Post e-Cert CA 1" that has been used to sign the Recognized Certificates since June 2003 expired on 15 May 2013. In order to continue issuing Recognized Certificates with the maximum validity period of 3 years before the expiry of the Sub CA “Hongkong Post e-Cert CA 1”, Hongkong Post completed the Sub CA "Hongkong Post e-Cert CA 1" Rollover on 26 February 2010.
With the completion of Sub CA rollover, the Sub CA "Hongkong Post e-Cert CA 1" ceased to issue Recognized Certificates. The Sub CA "Hongkong Post e-Cert CA 1 - 10" is used to issue Recognized Certificates and to perform revocation of certificates issued by it since 26 February 2010. The e-Cert subscription and revocation procedures remain unchanged after the Sub CA rollover.
With the expiry of the Sub CA “Hongkong Post e-Cert CA 1” on 15 May 2013, its last CRLs were issued at 14:15 on the same day.
For more information, please refer to the related announcement of the Sub CA Rollover.
Subscribers with Recognized Certificates issued after the Sub CA rollover may need to install the new Sub CA "Hongkong Post e-Cert CA 1 - 10" to their applications, such as web browser or web server, to recognize the new Sub CA.
The e-Cert Control Manager ("eCM") software (version 2.1.8 Build 7 or above) is released to support both the Sub CA "Hongkong Post e-Cert CA 1" and "Hongkong Post e-Cert CA 1 - 10". Subscribers with e-Cert (Personal) issued by the new Sub CA have to install or upgrade to this latest version of eCM in order to continue using their e-Cert on Smart ID Card.
For more information, please refer to the related announcement of the Sub CA Rollover.
The Sub CA "Hongkong Post e-Cert CA 1" has been used to issue e-Cert and Bank-Cert in the following periods:
- e-Cert (Personal) issued between 23 June 2003 and 25 February 2010
- e-Cert (Organisational), e-Cert (Encipherment), e-Cert (Server), Bank-Cert (Personal) and Bank-Cert (Corporate) issued between 12 January 2004 and 25 February 2010.
The Sub CA "Hongkong Post e-Cert CA 1" has ceased to issue any recognized certificates since 26 February 2010 and expired on 15 May 2013.
The last full Certificate Revocation List (CRL) and partitioned CRLs were issued by Sub CA "Hongkong Post e-Cert CA 1" at 14:15 on 15 May 2013 (Hong Kong Time) and with no further updates afterwards. The previously generated CRLs are still available for reference.
Except for the cessation of update of CRLs issued by the Sub CA "Hongkong Post e-Cert CA 1", all other services of Hongkong Post Certification Authority remain unchanged upon the expiry of the Sub CA "Hongkong Post e-Cert CA 1".
For more information, please refer to the related announcement of the Sub CA Expiry.
B. Public Key Infrastructure (PKI)
The concept of encryption is simple: a message is converted from the original (plain text) into another, incomprehensible form (cipher text) by means of a specified procedure (algorithm) and a key. The same key can then be used to decrypt the message to its original form. Knowledge of the encryption key is necessary to carry out decryption. With the encryption techniques in use today, the security of the system is critically dependent on the length of the key used for the encryption. As encryption algorithms are publicly available, it is through the complexity (i.e., its length) and the secrecy of the key that the strength of the encryption can be assured.
Public Key Cryptography or Asymmetric Cryptography forms the basis of digital signatures and Public Key Infrastructure. This technique makes use of a pair of mathematically related, but different keys - a private key and a public key. The private key is kept secret and is only accessible to its owner; the public key is intended for wide distribution. If one key is used to encrypt a message, then only the other key in the pair can be used to decrypt it. The public key can be used to verify a message signed with the private key, or to encrypt messages that can only be decrypted using the private key.
A Certification Authority (CA) is an organisation that issues independently authenticated digital certificates for use by individuals or organisations.
A digital certificate is an electronic file issued and digitally signed by a Certification Authority, vouching for the identity of the certificate holder.
The Hongkong Post e-Cert certificate is a digital certificate that is issued, signed and managed by Hongkong Post Certification Authority (CA) and is X.509 v.3 compliant. Hongkong Post CA offers three different types of digital certificates:
- Hongkong Post e-Cert (Personal) Certificates: these are used in browsers and e-mail programmes so that users can prove their identity to third parties;
- Hongkong Post e-Cert (Organisational) Certificates: these are used by organisations, associations or Government departments which want to issue an organisation-based certificate to their members/employees to conduct secure message transmission;
- Hongkong Post e-Cert (Server) Certificates: these are used to authenticate servers to users, thereby making it possible to communicate in Secure Socket Layer (SSL) messages; and
- Hongkong Post e-Cert (Encipherment) Certificates: these are used for encryption and decryption of messages for confidentiality purposes only. This type of certificate is not to be used for message signing like e-Cert (Personal) and e-Cert (Organisational).
A digital signature is a unique string of bits that is generated separately for each message, 'signed' with the private key of the sender and appended to the message before it is forwarded to the intended recipient. By verifying the signature with the sender's public key, the receiver can confirm the identity of the sender and be certain that the message has not been altered in transit. In this way, digital signatures provide:
- Authentication : proof of identity of the parties to an electronic transaction;
- Integrity: assurance that the contents of a message have not been tampered with or modified;
- Non-repudiation: proof of agreement to the terms of the transaction and prevention of denial of commitment.
A hash function computes a short digest of fixed length from a message of any length, and that digest stands in for the message content. It is computationally infeasible to recover the original message from its digest, and computationally difficult to find any two messages that hash to the same result. MD5 and SHA-1 are common hash algorithms.
S/MIME (Secure/ Multipurpose Internet Mail Extensions) is a de facto standard for sending secure e-mail over the Internet. MIME is the industry standard format for electronic mail, which defines the structure of the message's body. S/MIME adds a secure feature to the MIME standard. E-mail applications that support S/MIME add digital signatures and encryption capabilities to that format. Standardisation of the secured message's format allows users to conduct private and authenticated communications, independent of the e-mail software they use, as long as this software is S/MIME compatible. You and your recipient must have public key certificates and S/MIME compatible e-mail applications in order to send and receive secured e-mail.
S/MIME is the secure e-mail protocol; a .p7m attachment contains the encrypted message, while .p7s is the digital signature file. If either is received as a plain attachment, there are 2 possibilities:
- You may be using a web-based e-mail account. It is suggested that you change your e-mail account to a non web-based account;
- You may be using an e-mail client which is not S/MIME compatible and will not be able to verify the attached signature. It is suggested that you upgrade your e-mail client to the latest version (e.g., Microsoft Outlook 98/2000) or use another S/MIME compatible mail programme (e.g., Microsoft Outlook Express 5 or Netscape Messenger 4.7 or above).
The SSL handshake protocol was developed by Netscape Communications Corporation to provide security and privacy over the Internet. The Protocol supports server and client authentication. The SSL Protocol is application independent, allowing protocols like HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol) and Telnet to be layered on top of it transparently. The SSL Protocol is able to negotiate encryption keys, as well as to authenticate the server, before data are exchanged by the higher-level application. The SSL Protocol maintains the security and integrity of the transmission channel by using encryption, authentication and session keys.
For two parties to exchange signed and encrypted e-mail it is necessary that:
- both parties correspond through S/MIME compatible e-mail programmes, AND
- both parties have a digital certificate.
If the above conditions are fulfilled, the sender of a message can sign and encrypt messages with the options to "sign" and/or "encrypt" in his/her mail programme.
To enable you to send an encrypted e-mail,
- you need to ask your recipient to send you a signed e-mail and save the certificate in your address book; or
- find a digital certificate from Hongkong Post's online e-Cert repository (directory) either by name or e-mail address, and then download your recipient's e-Cert.
If an e-mail message has been properly encrypted, i.e., with the public key corresponding to your private key, the encrypted message will be automatically decrypted for you (after you have entered your password for activating your private key) by your S/MIME compatible e-mail application and displayed to you as plain text.
If your sender has included his/her public key certificate in the signed message, the digital signature on the message will be automatically verified by your S/MIME compatible e-mail application. In Netscape Messenger, a security icon saying "Signed" will be shown on the upper right corner of the message.
For Netscape Messenger users: security enhanced messages have an icon in the upper-right corner, indicating that the message has been "signed", "encrypted" or "signed and encrypted".
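As an added example (not Hongkong Post CA code), this Python classifier reads the MIME headers of a received message and reports whether it is S/MIME signed, encrypted or plain, and which parts a mail client without S/MIME support would show as bare smime.p7s / smime.p7m attachments; it serves both the .p7m/.p7s question and the "is it signed or encrypted?" question above. The two S/MIME sample messages are constructed inline with placeholder base64 bodies, so nothing is actually verified or decrypted.

```python
import email
from email import policy

# Added example, not Hongkong Post CA code. Classifies a received message by the
# S/MIME structure declared in its MIME headers; no signature is verified and
# nothing is decrypted, so this is safe to run on untrusted mail.
PKCS7_SIGNATURE = ("application/pkcs7-signature", "application/x-pkcs7-signature")
PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def classify_smime(raw: bytes) -> str:
    """Return 'signed', 'encrypted', 'opaque-signed', 'certs-only', 'signed-other',
    'smime-unknown' or 'plain', judged from the outermost layer of the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Clear-signed: readable body in part one, detached signature (.p7s) in part two.
        protocol = str(msg.get_param("protocol", "")).lower()
        return "signed" if protocol in PKCS7_SIGNATURE else "signed-other"
    if ctype in PKCS7_MIME:
        # Opaque: the whole body is one PKCS#7 blob (.p7m); smime-type says which kind.
        # A signed-then-encrypted message shows only enveloped-data at this layer.
        smime_type = str(msg.get_param("smime-type", "")).lower()
        return {"enveloped-data": "encrypted",
                "signed-data": "opaque-signed",
                "certs-only": "certs-only"}.get(smime_type, "smime-unknown")
    return "plain"


def pkcs7_attachment_names(raw: bytes):
    """File names of the PKCS#7 parts. A client that does not understand S/MIME
    shows exactly these as ordinary attachments instead of acting on them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_type() in PKCS7_SIGNATURE + PKCS7_MIME:
            names.append(part.get_filename() or str(part.get_param("name") or "<unnamed>"))
    return names


# Constructed samples: the base64 bodies are placeholders, not real PKCS#7 data.
SIGNED_SAMPLE = b"""From: sender@example.com
To: recipient@example.com
Subject: constructed multipart/signed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sigpart"

--sigpart
Content-Type: text/plain; charset=us-ascii

This text is what the detached signature covers.
--sigpart
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIBPLACEHOLDERNOTAREALSIGNATURE=
--sigpart--
"""

ENCRYPTED_SAMPLE = b"""From: sender@example.com
To: recipient@example.com
Subject: constructed enveloped-data sample
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIIBPLACEHOLDERNOTREALCIPHERTEXT=
"""

PLAIN_SAMPLE = b"""From: sender@example.com
To: recipient@example.com
Subject: constructed plain sample
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

No signature, no encryption.
"""

if __name__ == "__main__":
    for label, raw in (("signed", SIGNED_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, "->", classify_smime(raw), pkcs7_attachment_names(raw))
```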
No, you cannot. In order to encrypt the e-mail message that you want to transmit, you will need to access the public key of the intended recipient. If the recipient is not in possession of a digital certificate, he/she will not have a public key. However, you can digitally sign messages to recipients whose e-mail applications support S/MIME. They will be able to verify your signature on the messages.
C. Hongkong Post e-Cert Services
Currently, the technology adopted by Hongkong Post does not support Chinese characters. Hence, for the present, all Hongkong Post e-Cert certificates will be issued in English only.
ECC is not supported for the time being.
Object signing and authenticode are not supported for the time being.
With effect from 1 December 2012, e-Cert (Server) will be issued only with 2048-bit RSA key length.
Hongkong Post e-Cert certificates are X.509 v3 compliant (an international standard) and can, therefore, be used internationally.
This is not possible. Web-based e-mail services such as Hotmail and Yahoo are not S/MIME compatible. For details, please see heading under S/MIME below.
When a Hongkong Post e-Cert certificate expires, it can no longer be used for secured e-mail. You should re-apply for a new e-Cert certificate.
As many as you like. There is no limit to the number of Hongkong Post e-Cert certificates you can apply for.
| Type of Certificate | Annual Fee (HK$) |
| --- | --- |
| Server (without "Wildcard" feature and "Multi-domain" feature) | $2,500 |
| Server (with "Wildcard" feature) | $8,700 + $500 per Additional Server |
| Server (with "Multi-domain" feature) | $3,000 + $2,500 per Additional Server Name |

($50 for a first-time subscriber)
(plus an administration fee of $150 per application)
Promotional Offer: HK$21 per certificate
(plus an administration fee of $150 per application)
** With effect from 1 April 2012, the annual subscription fee for e-Cert (Encipherment) is discounted from HK$150 to HK$21 per certificate until further notice. For details, please refer to the relevant announcement.
- The validity period of Hongkong Post e-Cert (Personal) is 3 years.
- The validity period of Hongkong Post e-Cert (Organisational), e-Cert (Encipherment) and e-Cert (Server) [without “Wildcard” feature and “Multi-domain” feature] is 1 or 2 years.
- The validity period of Hongkong Post e-Cert (Server) with “Wildcard” feature and e-Cert (Server) with “Multi-domain” feature is 1, 2 or 3 years.
A digital certificate, once generated, cannot be changed. If you have changed any information on the certificate such as your name or your e-mail address, you must apply for a new certificate. You should also revoke your existing certificate.
Hongkong Post CA has issued transition plans for the issuance of e-Cert with 2048-bit RSA key length. From 28 June 2012 to 31 December 2013, applicants for e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) may request a 2048-bit key length e-Cert in their new e-Cert application or renewal application. If the applicant does not indicate a choice of e-Cert key length on the application, the key length of the e-Cert issued will be 1024 bits. Starting from 1 January 2014, e-Cert will be issued with 2048-bit key length only. For applications requesting embedding of e-Cert (Personal) on Smart ID Card, applicants will only be issued e-Cert (Personal) with 1024-bit key length. For details, please refer to the announcement on our website at http://www.hongkongpost.gov.hk/news/press/61.html.
With effect from 1 December 2012, e-Cert (Server) will be issued only with 2048-bit RSA key length. For details, please refer to the relevant announcement http://www.hongkongpost.gov.hk/news/press/62.html.
The Hongkong Post Root CA certificate is not pre-installed in standard browsers. This means that you will have to load the Hongkong Post Root CA certificate into your browser yourself. You need this root certificate to validate a certificate issued by Hongkong Post CA.
The Hongkong Post CA Root certificates are available for downloading under the heading of "Download".
If you lose your Hongkong Post e-Cert certificate, you must revoke your certificate immediately. In case you have accidentally deleted your certificate, you simply need to import the certificate from your back-up copy. If you do not have a back-up copy, you must submit a new application.
If you lose your certificate, and you do not have a back-up copy, you will lose access to all your old encrypted messages (as you will not have your private key which you need to decrypt these messages). It is absolutely essential, therefore, that you make a back-up copy of your certificate.
Currently very few common browsers are capable of recognising multiple e-mail addresses on a single certificate. Therefore, Hongkong Post CA is adopting a policy of one e-mail address per certificate.
Details of authentication procedures are available from the Hongkong Post Certification Practice Statement at www.hongkongpost.gov.hk.
It is the vision of Hongkong Post to groom the younger generation to participate in secure electronic transactions and communications. If a certificate holder is a minor at the time of submitting his/her application, it will be shown on the certificate as "Hongkong Post e-Cert (Personal/Minor)". Relying parties are reminded that minors are not legally capable of entering into contracts, and any such dealings may be declared null and void in the future.
Absolutely. Like other types of e-Cert, the e-Cert (Encipherment) Certificate will also be posted to the directory for public searching.
The Subscriber Agreement and the Certification Practice Statement, which can be obtained at any Post Office counter, show all details of the terms and conditions governing the use of Hongkong Post e-Cert certificates . The Certification Practice Statement can also be viewed at Hongkong Post CA web site at www.hongkongpost.gov.hk.
You have to specify the directory entry of the Hongkong Post e-Cert Directory with more Distinguished Name (DN) information in the search field. For example, entering "OU=0000920170,O=Hongkong Post e-Cert (Personal),C=HK" in the search root field limits the search to e-Cert (Personal) certificates with SRN=0000920170. For details, you may refer to the user guide on setting the search field for the directory entry of the Hongkong Post e-Cert Directory.
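To make the search-root technique concrete, here is an added Python example (not Hongkong Post CA's directory software) that builds and parses DN strings with RFC 4514 escaping and runs a subtree search over a small constructed directory, showing how the SRN-scoped base returns exactly one of several e-Cert entries that share an e-mail address. SRN 0000920170 is the FAQ's own value; the second SRN, the CN values, the Organisational entry's layout and the mail addresses are invented sample data.

```python
# Added example, not Hongkong Post CA code. DN handling per RFC 4514 (single-valued
# RDNs only) plus a subtree match, used to narrow a directory search by SRN.
HEX = "0123456789abcdefABCDEF"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value (RFC 4514 section 2.4) so it survives inside a DN string."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """rdns: (type, value) pairs, most specific first, e.g. [("OU", srn), ("O", ...), ("C", "HK")]."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)


def parse_dn(dn: str):
    """Split a DN string into (type, value) pairs, undoing '\\c' and '\\XX' escapes.
    Hex pairs are decoded as single ASCII bytes, which matches English-only e-Cert DNs."""
    rdns, buf, attr = [], [], None
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:
            if i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    rdns.append((attr, "".join(buf)))
    return rdns


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn lies in the subtree rooted at base_dn (types compared case-insensitively)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    tail = entry[len(entry) - len(base):]
    return all(et.upper() == bt.upper() and ev == bv for (et, ev), (bt, bv) in zip(tail, base))


# Constructed sample directory (not real subscribers). Two e-Cert (Personal) entries
# share one mail address and differ only in SRN, which sits in the OU attribute.
SAMPLE_DIRECTORY = [
    {"dn": "CN=SAMPLE SUBSCRIBER,OU=0000920170,O=Hongkong Post e-Cert (Personal),C=HK",
     "mail": "subscriber@example.com"},
    {"dn": "CN=SAMPLE SUBSCRIBER,OU=0000920171,O=Hongkong Post e-Cert (Personal),C=HK",
     "mail": "subscriber@example.com"},
    {"dn": "CN=SAMPLE SUBSCRIBER,OU=SAMPLE ORGANISATION,O=Hongkong Post e-Cert (Organisational),C=HK",
     "mail": "subscriber@example.com"},
]


def search_by_mail(directory, base_dn: str, mail: str):
    """Subtree search: entries under base_dn whose mail attribute matches (case-insensitive)."""
    return [e["dn"] for e in directory
            if e["mail"].lower() == mail.lower() and is_under(e["dn"], base_dn)]


if __name__ == "__main__":
    broad = build_dn([("O", "Hongkong Post e-Cert (Personal)"), ("C", "HK")])
    narrow = build_dn([("OU", "0000920170"), ("O", "Hongkong Post e-Cert (Personal)"), ("C", "HK")])
    print(len(search_by_mail(SAMPLE_DIRECTORY, broad, "subscriber@example.com")), "hits under", broad)
    print(search_by_mail(SAMPLE_DIRECTORY, narrow, "subscriber@example.com"), "under", narrow)
```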
e-Cert is a digital certificate that offers a safe and secure way to conduct online transactions. In processing an e-Cert application, Hongkong Post is required to verify the identity of the applicant. As a procedural safeguard in the interest of the applicant, it is necessary for the applicant to visit a post office to complete the face-to-face identity verification process and delivery of the PIN envelope before an e-Cert can be issued.
Yes. All post offices will stay open during lunch hours. As for the General Post Office at Central and the Tsim Sha Tsui Post Office, public services are available on Saturday afternoon and on Sundays from 9:00 a.m. to 2:00 p.m. The opening hours of the post offices can be found at Hongkong Post's web site http://www.hongkongpost.gov.hk/product/e-Cert/office/index.html.
He/she can call the e-Cert Hotline at 2921 6633.
Hongkong Post always places emphasis on the security aspects of e-Cert. Delivering the e-Cert storage medium by post saves applicants an additional visit to a post office to collect it. As a security measure, the e-Cert storage medium is sent by recorded delivery, which requires the applicant to sign for its receipt. Furthermore, the use of an e-Cert requires a PIN, which is given to the applicant at the time of application.
e-Cert can be used on the Windows operating system. The use of e-Cert on Linux and Mac operating systems will require installation of additional software plug-ins. You may contact the respective vendors of the Linux and Mac system for the details of the software plug-ins.
e-Cert (Organisational Role) is similar to e-Cert (Organisational) in that it is for use by an employee or a member of the Subscriber Organisation. e-Cert (Organisational Role) carries additional features: the e-Cert can include the "role", which can be the "title" or "position" of the Authorised User in the Subscriber Organisation, and the e-Cert is intended for use only in systems designated by the Subscriber Organisation. For other features, please refer to Appendix D of the CPS for e-Cert (Organisational Role).
e-Cert (Organisational Role) certificate can be used for digital signature and encryption in PKI applications of the Subscriber Organisation. In addition, e-Cert (Organisational Role) can only be used in system(s) designated by the Subscriber Organisation. Organisations interested in the use of e-Cert (Organisational Role) may contact us at 2921 6633 or email to email@example.com for further discussion.
The main difference in application procedure is that the offer of e-Cert (Organisational Role) certificates requires prior arrangement between Hongkong Post CA and the Subscriber Organisation, whereas the application for e-Cert (Organisational) is on the Subscriber Organisation’s own discretion.
e-Cert (Organisational Role) certificate is issued to the Subscriber Organisation and for the designated application in respect of the Subscriber Organisation of the certificate. Thus, a prior arrangement is required for the Subscriber Organisation’s specific requirements.
D. Submission of Certificate Signing Request (CSR) for e-Cert (Server)
A Certificate Signing Request (CSR) is a request generated by your server which contains the information of your organisation and your public key. The Hongkong Post CA will generate your e-Cert (Server) based on your CSR.
You may refer to the User Guides for e-Cert (Server) Applicant for the procedures on how to generate a base64 encoded PKCS#10 CSR. Please make sure that the correct domain name (e.g. www.example.com) is entered in the "Common Name" field and "HK" in the "Country" field.
You should paste the entire content of the CSR including the lines "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----" into the Certificate Signing Request (CSR) text box.
You can download your e-Cert (Server) from the Search and Download Certificate web page after a successful CSR submission process.
E. Central Key Generation Service for e-Cert
Hongkong Post generates the key pair (the Private Key and the Public Key) of an e-Cert on behalf of the Subscriber and creates the e-Cert. The key generation and e-Cert creation process are performed in a trustworthy manner and environment within Hongkong Post's premises to ensure that the key pair and e-Cert are not tampered with. The generated key pair and e-Cert will be protected by a PIN and stored as an e-Cert file in an e-Cert storage medium. The e-Cert storage medium will be delivered to the Subscriber by registered mail. The Subscriber is required to open the e-Cert file with the PIN, which is distributed to the Subscriber separately.
The Central Key Generation Service is applicable to e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) certificates. Subscribers who opt for this service should make the request and specify the collection/delivery arrangement at the time of application.
The private key created under the Central Key Generation Service is stored in an encrypted form. Upon completion of delivery of e-Cert and the private key to subscriber, the private key will be purged from Hongkong Post system.
The following are some common Internet browsers that are known to work with the e-Cert file generated under the Central Key Generation Service:
- Microsoft Internet Explorer 5.01 with 128-bit High Encryption Pack
- Microsoft Internet Explorer 5.5 or above
- Mozilla Firefox 2.0 or above
- Netscape Navigator 4.08 / Communicator 4.5 - 4.8
- Netscape Navigator 7.0 or above
For a quicker and easier way of changing the password of the e-Cert file, a "Change Password Program" is available for download from the Hongkong Post CA web site. After downloading and a simple installation, the program is ready for use.
The "Change Password Program" software is designed for use by Subscribers of Hongkong Post e-Cert to change the password of an e-Cert file that is created and saved on a floppy disk or other storage media. It only works on the Microsoft Windows XP / Vista / 7 / 8 platforms.
The "Change Password Program" is a Windows-based program that lets the Subscriber change the password of the e-Cert file easily. If successful, the e-Cert file on the floppy disk / other storage device will be protected by the new password.
F. Technical Issues
The minimum system requirements are:
- Pentium 133 or above (or compatible) with 32 MB RAM
- Windows 95, Windows 98 or Windows NT
- Netscape Navigator 4.08 / Communicator 4.5 (or above) or Microsoft Internet Explorer 5.01 with 128 bit high encryption (or above)
- Hard disk free space : 100 MB
For Netscape Users:
- Open your Netscape browser;
- Click on the security icon (the one that looks like a padlock) from the main toolbar;
- Select Certificates > Yours from the menu on the left. Verify that your new e-Cert is listed in the personal certificates display.
- To view your e-Cert particulars, select it (e-Cert) and then click the 'view' button.
You must type the PIN correctly, making sure that:
- the PIN includes all 16 digits,
- there are no spaces before, after, or within the PIN
If the problem persists, please contact the Hongkong Post CA Enquiry Hotline at 2921 6633.
This could happen because the system time of your PC is behind that of our CA system. Our CA system uses a Global Positioning System (GPS) clock to timestamp the certificate. To avoid this, all you need to do is wait for a while or correct your system clock.
If you have removed your old copy of Netscape Navigator, you have also deleted the file that contains the private key associated with your e-Cert. Without that private key or a back-up copy, you cannot reinstall your e-Cert. You need to apply for a new one. Upgrading Navigator by using the Netscape installer preserves your personal information, including your e-Cert and private key.
Upon accessing a server secured with a Hongkong Post e-Cert (Server) certificate, the user will see a padlock at the bottom of his or her Internet Explorer browser or on the main toolbar of the Netscape browser. Clicking on the padlock will cause the details of the server's certificate to be displayed.
Firstly, when you hear people speak of a 128-bit or 40-bit connection, they are referring to the "session key". This is a symmetric key created by the browser when it connects to the server that is used to encrypt AND decrypt data (transmitted to and from the server) after the initial browser/server "handshake". If your server supports full-strength sessions and the browser connecting to your site supports 128 bits, then a 128-bit session key will be created and used. Browsers that have been exported from the United States are limited to creating 40-bit session keys. Browsers that have been distributed within the US or manufactured by companies outside the US can create 128-bit session keys and thus connect to similarly manufactured and distributed servers in full-strength crypto. Outside the US, certain financial institutions and governmental organisations can apply for a Global Server Certificate, sometimes referred to as a "Step-up Server Certificate". Having one of these certificates installed on a server will guarantee a 128-bit connection with any browser, regardless of whether it is an "export" or "domestic" version.
Please be careful when choosing your domain name. You cannot change this information after the certificate is issued. The domain name should be the exact server name where the certificate will be installed. When a browser connects to your server, it will match the domain name to that on the certificate. If the names do not match, the browser will return an authentication error.
The "Key Usage" extension field specifies the usage of the key pair. For e-Cert (Encipherment), only the "Key Encipherment" bit and "Digital Signature" bit are set.
e-Cert (Encipherment) certificates are to be used only:
- to send encrypted electronic messages to the Subscriber Organisation;
- to permit the Subscriber Organisation to decrypt messages; and
- to permit the Subscriber Organisation to acknowledge receipt of the encrypted message by sending an acknowledgement with a digital signature added to it to confirm the identity of the receiving Subscriber Organisation.
Further, digital signatures generated by this class of certificate are only to be used to acknowledge the receipt of electronic messages in transactions which are not related to or connected with the payment of money on-line or the making of any investment on-line or the conferring on-line of any financial benefit on any person or persons or entities of whatsoever nature and under no circumstances are digital signatures generated by these certificates to be used to acknowledge the receipt of messages sent in connection with the negotiation or conclusion of a contract or any legally binding agreement.
The Crypto Tools (the Software) previously provided by the former i-Security Solutions Limited (the Company) has become unavailable for sales and/or distribution after the Company closed down in 2003. If you are using the Software for signing and encrypting documents with Hongkong Post e-Cert, you should note that Hongkong Post shall not accept any claims or liabilities whatsoever arising from the use or distribution of the Software.
G. Revocation of Certificates
A subscriber may submit a request to revoke her/his certificate at any time for any reason. Revocation requests can be made by the following methods:
- Sending a certificate revocation request by fax to 2775 9130 and the original of the revocation request by post.
- Sending a certificate revocation request by letter to Hongkong Post CA, PO Box 68777, Kowloon East Post Office.
- Sending a digitally signed e-mail to firstname.lastname@example.org
- Showing a revocation request in person at any post office with the same signature as on the original application form.
Revocations of certificates will be effective only after they have been published in the Certificate Revocation List (CRL).
Personal Certificate Revocation Request
A personal certificate can only be revoked by the subscriber of that certificate.
Organisational Certificate Revocation Request
An organisational certificate can be revoked by:
- A person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application, or;
- The person whose name appears on the certificate as the subscriber of that certificate.
Server e-Cert Revocation Request
A server certificate can be revoked by a person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application.
Encipherment e-Cert Revocation Request
An encipherment certificate can be revoked by a person nominated as an Authorised Representative for the organisation, whose signature appears on the application form as the authorised signature at the time of application.
Acknowledgement to the Subscriber/Authorised Representative
Based on a request by fax, Hongkong Post will place a "Hold" on the certificate, which effectively suspends, but does not revoke the certificate. The subscriber then has to send his/her original of the revocation request to Hongkong Post to complete the revocation process. In-person or digitally signed requests will be processed directly as immediate revocations without the "Hold" procedure. Hongkong Post will endeavour to issue a Notice of Revocation to such subscribers within one week following the request for revocation.
Business Hours for Processing Revocation Requests
Monday to Friday 9:00 a.m. to 5:00 p.m.
Saturday 9:00 a.m. to 12:00 noon
Sundays & Public Holidays 9:00 a.m. to 12:00 noon
On any weekday on which a tropical cyclone warning signal no. 8 (or above) or a black rainstorm warning signal is hoisted, Hongkong Post Certificate Authority will open at the usual time if the signal is lowered at or before 6 a.m. that day. If the signal is lowered between 6 a.m. and 10 a.m. or at 10 a.m., Hongkong Post Certificate Authority will open at 2:00 p.m. on any weekday, other than on a Saturday, Sunday and public holiday.
Service Pledge and Certificate Revocation List Update
- Hongkong Post will exercise reasonable endeavours to see that within 2 working days of (1) Hongkong Post receiving a revocation request from the Subscriber or (2) in the absence of such a request, the decision by Hongkong Post to suspend or revoke the certificate, the suspension or revocation is posted to the Certificate Revocation List.
- However, a Certificate Revocation List is not published in the directory for access by the public following each certificate revocation. Only when the next Certificate Revocation List is updated and published will it reflect the revoked status of the certificate. [Certificate Revocation Lists are published daily and are archived for 7 years.]
For the avoidance of doubt, all Saturdays, Sundays, public holidays and all weekdays on which a tropical cyclone or rainstorm warning signal is hoisted are not working days.
We strongly recommend that you revoke (cancel) your certificate if you suspect that your private key has been compromised, or you no longer wish to participate in the Hongkong Post Public Key Infrastructure.
You can verify the status of your revoked Hongkong Post e-Cert certificate by pulling down the entire Hongkong Post CA Certificate Revocation List (CRL) from the directory server at ldap.hongkongpost.gov.hk, which is updated every day. The CRL on the directory server can only be read using the LDAP protocol, and you need client software with LDAP capability, for example the Crypto Tools bundled in the e-Cert Customer Kit. Alternatively, you can go to our web site and access the CRL at the following URL: http://crl1.hongkongpost.gov.hk/crl/eCertCA1-10CRL1.crl. For users of Microsoft Windows with Internet Explorer 5.0 or above, when you open the CRL file a CRL pop-up screen will show the list of revoked certificates in certificate serial number order. You may then locate the certificate by its certificate serial number. Please note that the revocation status of expired certificates will not be published in the CRL.
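A worked example for Sections D and G together, added here as an illustration and not code from Hongkong Post: a small DER encoder builds a structurally valid PKCS#10 request (placeholder key bits and signature, so it is not cryptographically signed) and a CRL, then a pre-submission check confirms a pasted CSR carries the BEGIN/END lines, the server name as Common Name and "HK" as Country, and a lookup finds a serial number in the CRL while honouring nextUpdate and the expired-certificate caveat. The issuer name, serial numbers and dates are constructed sample values; in practice the CSR comes from your server and the CRL from the download URL above.

```python
import base64

# Minimal DER helpers, written for this example (not Hongkong Post code).
def der(tag, payload):
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def children(payload):
    """Split a constructed DER payload into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(payload):
        tag, ln, pos = payload[pos], payload[pos + 1], pos + 2
        if ln & 0x80:
            k = ln & 0x7F
            ln, pos = int.from_bytes(payload[pos:pos + k], "big"), pos + k
        out.append((tag, payload[pos:pos + ln]))
        pos += ln
    return out

def oid_str(b):
    """Decode an OID body to dotted form, e.g. 55 04 03 -> 2.5.4.3."""
    parts, v = [str(b[0] // 40), str(b[0] % 40)], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(str(v))
            v = 0
    return ".".join(parts)

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}
SHA256_RSA = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))

def name(cn, org, country):
    """X.501 Name: SEQUENCE of SET of {OID, string}; C is a PrintableString."""
    def atv(oid, val, tag):
        return der(0x31, der(0x30, der(0x06, oid) + der(tag, val.encode())))
    return der(0x30, atv(b"\x55\x04\x06", country, 0x13)
               + atv(b"\x55\x04\x0a", org, 0x0C) + atv(b"\x55\x04\x03", cn, 0x0C))

def parse_name(body):
    """Inverse of name(): returns {'C': ..., 'O': ..., 'CN': ...}."""
    subject = {}
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            subject[OID_NAMES.get(oid_str(oid), oid_str(oid))] = val.decode()
    return subject

# Section D: the PKCS#10 CSR block pasted into the submission form.
def build_csr_pem(cn, org, country="HK"):
    """Constructed CSR with placeholder key bits and signature (structure only)."""
    rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    spki = der(0x30, rsa + der(0x03, b"\x00" * 33))
    cri = der(0x30, der(0x02, b"\x00") + name(cn, org, country) + spki + der(0xA0, b""))
    b64 = base64.b64encode(der(0x30, cri + SHA256_RSA + der(0x03, b"\x00" * 33))).decode()
    return "\n".join(["-----BEGIN NEW CERTIFICATE REQUEST-----",
                      *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      "-----END NEW CERTIFICATE REQUEST-----"])

def check_csr(pem, expected_cn, expected_country="HK"):
    """Pre-submission check: whole block pasted, CN is the server name, C is HK."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
        return {"ok": False, "problems": ["paste the whole block, including the BEGIN and END lines"]}
    try:
        raw = base64.b64decode("".join(lines[1:-1]), validate=True)
        cri = children(children(raw)[0][1])[0][1]   # certificationRequestInfo
        subject = parse_name(children(cri)[1][1])    # [version, subject, spki, attrs]
    except (ValueError, IndexError):
        return {"ok": False, "problems": ["CSR body is not a base64-encoded PKCS#10 request"]}
    problems = []
    if subject.get("CN") != expected_cn:
        problems.append(f"CN is {subject.get('CN')!r}, expected {expected_cn!r}")
    if subject.get("C") != expected_country:
        problems.append(f"C is {subject.get('C')!r}, expected {expected_country!r}")
    return {"ok": not problems, "subject": subject, "problems": problems}

# Section G: locating a certificate serial number in a downloaded CRL.
def build_crl(issuer, this_update, next_update, revoked):
    """Constructed CRL; times are UTCTime strings 'YYMMDDHHMMSSZ', serials are ints."""
    entries = b"".join(der(0x30, der(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big"))
                           + der(0x17, d.encode())) for s, d in revoked)
    tbs = der(0x30, der(0x02, b"\x01") + SHA256_RSA + issuer + der(0x17, this_update.encode())
              + der(0x17, next_update.encode()) + der(0x30, entries))
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" * 33))

def crl_status(crl_der, serial, now):
    """Is `serial` listed, and is the CRL past its nextUpdate at `now` (UTCTime string)?
    Expired certificates are dropped from the CRL, so 'not listed' only means
    'not revoked' for a certificate still within its validity period."""
    fields = children(children(children(crl_der)[0][1])[0][1])   # tbsCertList
    i = 1 if fields[0][0] == 0x02 else 0                          # optional version
    next_update = fields[i + 3][1].decode()
    listed = fields[i + 4][1] if len(fields) > i + 4 and fields[i + 4][0] == 0x30 else b""
    revoked = {int.from_bytes(children(e)[0][1], "big"): children(e)[1][1].decode()
               for _, e in children(listed)}
    return {"revoked": serial in revoked, "revocation_date": revoked.get(serial),
            "stale": now > next_update}
```

Real CRLs and CSRs are signed; this structural parser deliberately skips signature verification, which a production check must perform against the issuing CA certificate.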
H. Deletion and Recovery issues
A hard drive crash may delete the certificate in your computer. Once it has been lost, there is no way to retrieve it. You will first need to revoke your certificate, then enrol for a new one. You may also restore your back-up copy and import this copy into your browser.
As your digital certificate is protected by a password, it is unlikely that anyone else will be able to use it to impersonate you. However, we strongly advise you to revoke your certificate immediately if your computer has been stolen and then enrol for a new one.
You should not delete your expired or revoked e-Cert. By deleting a certificate, you will no longer have access to the public key associated with it and it will therefore no longer be possible to read encrypted messages with it.
I. Back-up and transfer of certificate
Each browser has its own back-up procedures. For Netscape Users :
- Click on the security icon (the one that resembles a padlock) from the main toolbar,
- Select Certificates > Yours from the menu on the left,
- Select the e-Cert you intend to save and click Export,
- You will be prompted to choose a transport password which you will be asked for when importing or opening this copy of your e-Cert. Click OK,
- Select a location (such as your floppy disk) and file name in which to save your e-Cert. Click Save,
- Protect your floppy disk or other media and your transport password in a secure manner.
For Internet Explorer Users :
- In your Internet Explorer browser, click Tools from the pull-down menu and select Internet Options.
- In the Internet Options window, click on the tab Content and select Certificates.
- Select the Personal tab and click on the certificate to be exported. Then click on Export button.
- The Certificate Manager Export Wizard pops up. Read the information provided therein and click on Next button.
- Now you have to indicate if you want to export the private Key with your certificate. Select Yes, export the private key and click the Next button.
- Check the option Include all certificates in the certification path if possible.
- Uncheck the option Enable strong protection (requires IE 5.0, NT 5.0 or above) if you will use the exported file in applications other than IE 5.0 or above.
- Click the Next button.
- Type in a password of at least 8 characters (you may choose a new password if you wish) to protect the .PFX file. Then click Next.
- You must now decide where to save the .PFX file. Locate and choose a directory for this file. Type a friendly name in the File name box. Click Next.
- In the popup, Export Wizard Window, Click Finish.
- The export is complete; click the OK button.
The first step for transferring your e-Cert is to save ("Export") it from the computer's hard drive onto a floppy disk or other transfer medium. When your e-Cert has been successfully exported, you can then import it into the new computer. To import your e-Cert into Netscape Navigator :
- Click on the security icon (the one that looks like a padlock) from the main toolbar,
- Select Certificates > Yours from the menu on the left,
- Select Import,
- You will then be prompted to give the password you will use to protect your e-Cert,
- Locate your e-Cert from the floppy disk or other medium used to back up your e-Cert (it should have a .p12 extension). Highlight it and click Open,
- Enter your transport password and click OK.
To import your e-Cert into Internet Explorer :
- In your Internet Explorer browser, Click Tools in the pull down menu and select Internet Options.
- In the Internet Options window that pops up, click on the tab Content and select Certificates.
- Select the Personal tab and Click on Import button.
- The Certificate Manager Import Wizard pops up. Read the information provided therein and click on Next button.
- You have to select the file to be imported. Click on the Browse button and select the location and filename to be imported. If you are importing a PKCS#12 certificate file produced by e-Cert Central Key Generation, or exported from other applications which use the .P12 file extension, you need to click the Browse button, change the Files of type to All Files (*.*) in the Open window and then select the required .P12 file.
- Click the Next button. The system will then prompt you to enter the password. The password used while exporting the file has to be used here. Tick the box Enable strong private key protection. If you want to export the certificate at some time in the future, tick the box Mark the private key as exportable as well.
- Key in the password and click Next button.
- Selecting a store for the Certificate : Select the first option for the system to Automatically select the certificate store based on the type of certificate. Click on the Next button.
- The Certificate Manager Import Wizard finishing screen appears. Click on the Finish button. The Private Key Container screen will appear. Microsoft Internet Explorer stores your key pair and e-Cert Certificate details in the Private Key Container. Hence in the following steps, you are required to choose the security level and provide a profile/username and password to be stored for identification and access permissions.
- Click Set Security Level button.
- Select High security level (default set to medium). Click Next button.
- The Private Key Container window now seeks a password to protect the key pair.
- If any profiles were created earlier, you may select the option Use this password to access this item and select the appropriate profile from the dropdown list. If you are using a newly installed Microsoft Internet Explorer or if you have not created any profile before, select the option Create a new password for this item and key in a name and password for the new profile.
- Click Finish button.
- Key in the Private Key Container password again and click OK button.
- If the PKCS#12 file contains the Root CA certificate, a pop-up window will be displayed to re-confirm the storing of the Hongkong Post Root CA certificate in the Root Store of Internet Explorer. Click Yes to continue. This window will not pop up if the root CA certificate has already been installed in the browser.
- Click on OK button and close the Certificate Manager wizard and the Internet Options windows.
Note: Please make sure that you have successfully imported the certificate to the new machine before deleting the old certificate and the transient file.
J. e-Cert for Smart ID Card / Smart Card Reader
The Smart Card Reader should be able to support the following features in order to support the usage of Smart ID Card:
| Feature | Requirement | Remarks |
|---|---|---|
| Smart Card Interface Standard | ISO7816 | |
| Software Bundled | PC/SC Driver | |
| Type of card contact | Landing | Landing contact type is desired in view of the protection it can provide to the Smart ID Card, which is expected to last for at least 10 years. |
| Software interface standard | Europay, Mastercard and Visa (EMV) | EMV is desired in consideration of its capability for supporting potential electronic payment applications. |
For more details on Smart Card reader, please visit the web site at http://www.ogcio.gov.hk/en/strategies/initiatives/smart_id/smart_id_card_reader_spec.htm.
You may order a compatible Smart Card Reader from Hongkong Post's online shop "ShopThruPost".
You may follow the Installation Guide provided by the Smart Card Reader vendor for details. The Installation Guide is normally attached to the box set of the Smart Card Reader upon purchase.
To prevent damage to the Smart ID Card, Smart Card Reader of landing contact type (下落接觸式) is suggested in view of the protection it can provide to the Smart ID Card which is expected to last for 10 years.
It depends on the reader you have purchased. However, your PC must have a communication interface such as a serial port, a USB port or a PCMCIA slot (which depends on the reader purchased) to connect with the reader.
As long as the e-Cert on your Smart ID Card can be accessed by keying in your e-Cert PIN, scratches on the surface of the chip should not affect your e-Cert on the ID card. If scratches appear on the chip of your Smart ID Card and you cannot access the data and e-Cert stored on it, your card chip may be damaged and you may apply for a replacement through the Immigration Department.
You should report the loss of your smart ID card to the Immigration Department at one of its Registration of Persons Offices. You may also submit a request to Hongkong Post Certification Authority to revoke your e-Cert. After collecting a new smart ID card from the Immigration Department, you may apply for a new e-Cert at any of the 7 designated Post Offices, and have your e-Cert embedded in your smart ID card.
Each smart ID card can store one active e-Cert with its corresponding key pair. Whenever you load a new e-Cert to your smart ID card, the existing e-Cert on the ID card will be replaced while its corresponding private key may continue to reside on the card. Each smart ID card can store three old private keys while the corresponding e-Cert(s) may be stored in your computer or a floppy disk.
When you apply for embedding your e-Cert onto your smart ID card, your e-Cert will also be loaded into your selected e-Cert storage medium as specified in your e-Cert application. If you have accidentally deleted your e-Cert from smart ID card, you may re-load your e-Cert from the e-Cert storage medium to your smart ID card.
You may check the information of your e-Cert at public computers with Smart Card Readers installed.
The e-Cert (Personal) on Smart ID Card has a lifespan of 3 years and its subscription period is one year. The subscriber has to pay the subscription fee annually to extend the subscription period. Before the expiry of the 3-year validity period, the subscriber has to apply for renewal of the e-Cert and pay the annual subscription fee to obtain a new e-Cert (Personal) for continued use.
Each Smart ID Card can store one valid e-Cert with its corresponding key pair and 3 archived private keys of your expired e-Cert(s). You may use the archived private keys to decrypt the emails encrypted with your expired e-Certs.
If you delete the e-Cert on your Smart ID Card, the corresponding private key will also be deleted. You can do so on your own by using your Smart Card Reader together with the e-Cert Control Manager software. Please note that you will not be able to recover the e-Cert and private keys deleted from your smart ID card.
The PIN Envelope contains 2 e-Cert PINs each with different number of digits. The 8-digit PIN allows you to access the e-Cert on your Smart ID Card while the 16-digit PIN enables you to access the e-Cert stored in the e-Cert storage medium, such as floppy disk, e-Cert File Card or e-Cert File USB.
Please download the application form and send us a written request for resetting the PIN of the e-Cert on your Smart ID Card. The completed form can be submitted by fax to 2775 9130, or by mail to "Kowloon East Post Office P.O. Box 68777". After verification of the request, Hongkong Post will send you a new PIN envelope and arrange to reset your e-Cert PIN at a designated post office.
If you decide not to revoke your e-Cert, you should change the e-Cert PIN on your smart ID card and/or the e-Cert in the e-Cert storage medium immediately. If you have lost your Smart ID card and/or e-Cert storage medium together with your e-Cert PIN, you should request Hongkong Post to revoke your e-Cert immediately (see Question 22 for the revocation procedures) in order to protect your own interest.
For security reasons, the e-Cert embedded on smart ID card cannot be copied to other storage medium for backup purpose. The cardholder will not be able to recover the e-Cert including the private key in case the card is lost or damaged. As such, the e-Cert will be stored in the selected e-Cert storage medium, such as floppy disk, e-Cert File Card or e-Cert File USB, as specified in the e-Cert application. The cardholder can continue to use his e-Cert stored in his e-Cert storage medium in case the card is lost or damaged.
J-18 If I have a Hongkong Post e-Cert stored in e-Cert storage medium and I have not applied for embedding an e-Cert onto the smart ID card, can I have my existing e-Cert embedded onto my smart ID card?
If you have not applied for embedding an e-Cert onto the smart ID card, an e-Cert stored in an e-Cert storage medium cannot be embedded onto the smart ID card. You may apply for a new e-Cert to be embedded onto your smart ID card.
You should request HKPost to revoke your e-Cert if you wish to terminate the validity of your e-Cert when:
- someone else is suspected to have possessed both your Smart ID Card and your e-Cert PIN;
- someone else is suspected to have possessed both your e-Cert storage medium and your e-Cert PIN;
- Your smart ID card and/or e-Cert storage medium is lost.
Once revoked, the e-Cert cannot be resumed. You have to apply for a new e-Cert for usage.
Hongkong Post will not charge you extra cost for e-Cert revocation service.
You can request revocation of your e-Cert by one of the following means:
- Submit an on-line e-Cert Revocation Form.
- Submit an e-Cert Revocation Form by fax to HKPost at 2775 9130
- Submit an e-Cert Revocation Form by mail to Kowloon East Post Office Box 68777.
- Submit an e-Cert Revocation Form at the HKPost Drop Box located at Immigration Department's Registration of Persons Offices where you report loss of your ID card.
You should keep your smart ID card in safe custody and not disclose the e-Cert PIN (Personal Identification Number) to other persons. If you lose your ID card but your e-Cert PIN is not known to anyone other than yourself, others should not be able to access your e-Cert even if they hold your smart ID card.
No, you cannot access the e-Cert and private key stored on others' smart ID cards without the respective e-Cert PIN.
e-Cert Control Manager Add-on Pack provides an enhanced PKCS#11 module for interfacing with e-Cert on Smart ID Card. As some of the e-Cert applications may use this enhanced PKCS#11 module, you can enjoy more e-Cert applications by installing e-Cert Control Manager with Add-on Pack.
If the e-Cert Control Manager Add-on Pack is not yet installed (see Question 27 for checking the installation of the e-Cert Control Manager Add-on Pack), you may consider downloading and installing the current version of e-Cert Control Manager for your operating system. The e-Cert Control Manager Add-on Pack is included in the current version of the e-Cert Control Manager installation program.
e-Cert Control Manager Add-on Pack is included in the e-Cert Control Manager installation program. You may download and run the e-Cert Control Manager installation program to install both e-Cert Control Manager and Add-on Pack.
e-Cert Control Manager Add-on Pack is installed by default in the latest version of e-Cert Control Manager and previous versions from version 2.1.8 Build 6 or above.
For previous version 2.1.6 Build 18, if e-Cert Control Manager Add-on Pack is installed, you can access the Add-on Pack Readme through the "Start > Programs > Hongkong Post e-Cert > Add-on Pack 1 Readme" shortcut. Alternatively, you can find e-Cert Control Manager Add-on Pack in the "Control Panel > Add/Remove Programs" installed program list.
In case you do not know the version of e-Cert Control Manager you are using, please read the tips on checking version of e-Cert Control Manager.
Due to the change in Netscape Navigator architecture starting from version 9, the browser is no longer compatible with e-Cert Control Manager. Therefore, e-Cert Control Manager has ceased to support Netscape Navigator version 9 or above. Alternatively, you may wish to use Mozilla Firefox. For details, please refer to the User Guides for Mozilla Firefox.
For certain online services that have system requirement of using Java Runtime Environment (JRE), there is a known interface problem between JRE (prior to JRE 6 Update 10) and Internet Explorer 7 on Windows Vista platform that may affect the access of e-Cert on Smart ID Card through the e-Cert Control Manager. To use those online services, you need to have JRE 6 Update 10 or above installed. If you encounter problems in using e-Cert on Smart ID Card in these particular online services, you may wish to contact the respective service providers for details.
Please contact our Customer Services Hotline at 2921 6633 and provide the error messages.
After the Sub CA rollover, subscribers using e-Cert (Personal) issued by the new Sub CA "Hongkong Post e-Cert CA 1 - 10" have to install or upgrade the version of e-Cert Control Manager to version 2.1.8 Build 7 or above in order to continue using their e-Cert on Smart ID Card.
Under a 64-bit Windows environment, e-Cert Control Manager is installed by default under the Windows default folder "C:\Program Files (x86)". For certain online services or application programs that require Java, it is found that Java may have problems calling e-Cert Control Manager if the path name of the e-Cert Control Manager program library contains special characters, such as "( )" [brackets]. To get around the problem, you can uninstall e-Cert Control Manager and then install it again under an installation path without special characters.
Please refer to the Supported Applications for e-Cert Control Manager.
Internet Explorer in the Windows UI does not support plug-ins, and therefore cannot access e-Cert on Smart ID Card through the e-Cert Control Manager in certain online services. To use e-Cert on Smart ID Card in online services, please use Internet Explorer for the desktop, which supports plug-ins.
To use Internet Explorer for the desktop, you can select from "Page tools", then select "View on the desktop" from the Internet Explorer in the Windows UI.
K. Renewal of e-Cert (Personal)
When a subscriber has not provided his/her e-mail address to Hongkong Post Certification Authority (HKPost CA), or has changed it without notifying HKPost CA, HKPost CA is not able to issue the notice by e-mail. Subscribers who wish to check whether their e-Cert is due for renewal can call our customer service hotline at 2921 6633, send an e-mail to email@example.com or visit any one of the 7 designated post offices.
"Extension of Subscription Period" – The e-Cert (Personal) is physically valid for three years and its subscription period is one year. Upon the expiry of the subscription period, subscribers need to pay HK$50 per certificate per year to extend the subscription period. If not, Hongkong Post will inactivate their e-Cert by suspension or revocation. According to the Electronic Transactions Ordinance, the inactivated certificates will be included in the Certificate Revocation List (CRL) published on the Hongkong Post web site. After subscribers have extended the subscription period, they can continue to use the existing e-Cert; they will not be issued any new e-Cert storage medium or new PIN envelope.
"Renewal" – The e-Cert (Personal) is physically valid for three years. Upon the expiry of the three years validity period, subscribers need to renew their e-Cert and pay HK$50 for the first year subscription fee. A new PIN envelope and the renewed e-Cert in an e-Cert storage medium selected by the subscriber will be issued to the subscriber.
Subscribers can submit a renewal application either online or by visiting a post office. However, the renewal method will vary according to the actual needs of different subscribers. For details, you may refer to Renewal of e-Cert.
The renewed e-Cert (Personal) is physically valid for three years and its subscription period is one year. Subscribers have to pay the subscription fee and the e-Cert storage medium cost, if any. The prevailing fee and cost can be found on the Hongkong Post web site.
No. Subscription fees are charged on a yearly basis upon the expiry of each subscription period.
A new PIN envelope will be issued to the subscriber upon renewal of the certificate.
Subscribers should keep the old PIN envelope and the old e-Cert storage medium in order to use the old e-Cert. The new PIN envelope will be applicable to the renewed e-Cert stored in the new e-Cert storage medium and the subscriber’s Smart ID Card if the subscriber has embedded the renewed e-Cert in his Smart ID Card at designated post office.
Subscribers can choose whether or not to embed the renewed e-Cert onto the Smart ID Card.
Each Smart ID Card can store one e-Cert only. If subscribers choose to embed the renewed e-Cert in the Smart ID Card, the existing e-Cert on the Smart ID Card will be replaced by the renewed one, with the key pair remaining on the Smart ID Card.
Yes. For details, please refer to the user guide on "How to load e-Cert to Smart ID Card?".
L. E-CERT FILE CARD
e-Cert File Card is a contact smart card which is a storage medium for Hongkong Post e-Cert. It has the same size as a credit card. As compared with the floppy diskette, e-Cert File Card is more durable and smaller in size.
Both e-Cert File Card and floppy diskette are storage media for e-Cert. A floppy diskette requires a floppy diskette drive to access the e-Cert, while an e-Cert File Card requires a compatible smart card reader. e-Cert File Card is more durable and smaller in size than a floppy diskette. Customers cannot write or update any files on an e-Cert File Card, whereas a floppy diskette allows customers to add more files to the diskette without any restriction.
e-Cert File Card is just a storage medium for Hongkong Post e-Cert. Customers can export the e-Cert on their e-Cert File Card to other storage media. For security reasons, customers are recommended to keep their e-Cert File Cards in a safe place after use. For Smart ID Card, customers can directly use the embedded e-Cert to perform online transactions, but the private key of the e-Cert on the Smart ID Card cannot be exported to other media.
Smart cards are an advanced and reliable technology widely used in the commercial sector, for example in credit cards, security access control and the Smart ID Card. The three major benefits of e-Cert File Card are:
- e-Cert File Card is less susceptible to data loss from environmental factors and human error.
- e-Cert File Card resembles a credit card in size and shape.
- e-Cert File Card is durable and has a longer life span.
No. The e-Cert subscription fee has already included the cost of e-Cert File Card as a storage medium for e-Cert. Therefore, no additional charge is required for e-Cert File Card.
Both Smart ID Card and e-Cert File Card require a password to use the private key of the e-Cert. For e-Cert File Card, the private key and public key can be exported to other storage medium while for Smart ID Card, the private key cannot be exported to other storage medium.
You are required to export the e-Cert from the e-Cert File Card to your selected storage medium (such as USB storage device, or other removable storage media) by using an e-Cert File Card Utility Program and have a compatible smart card reader installed on your computer. You may buy a compatible smart card reader at Hongkong Post online shop "ShopThruPost". To learn how to export your e-Cert, you may simply refer to the user guide of the e-Cert File Card Utility Program.
Yes. The e-Cert File Card Utility Program enables you to change the password of your e-Cert on the e-Cert File Card. You may simply download the e-Cert File Card Utility Program from our website and change your e-Cert password by following our step-by-step user guide. Please note that only the e-Cert password on your e-Cert File Card will be changed. If you wish to change the e-Cert password on other storage media (such as a USB storage device or other removable storage media), you may download and use the Change Password Program from our website. For details, please refer to the user guide of the Change Password Program.
If your Smart ID Card has been embedded with an e-Cert before, you can follow through the steps below to load your e-Cert on e-Cert File Card to the Smart ID Card.
- Download and install the e-Cert File Card Utility Program from our website to export your e-Cert on e-Cert File Card to a storage media (such as USB storage device, or other removable storage media).
- Upon completion, you can download and install the e-Cert Control Manager to load your e-Cert to the Smart ID Card. You may simply refer to the user guide of the e-Cert Control Manager for the detailed procedures.
Should you encounter any technical problem, please feel free to contact our Customer Services Hotline at 2921 6633.
No, you cannot delete/add any files to the e-Cert File Card.
You may submit a request to Hongkong Post Certification Authority to revoke your e-Cert, and then apply for a new e-Cert. You will need to pay for the subscription fee as prescribed on the application form.
Yes. You need to keep the e-Cert File Card in a safe place after exporting the e-Cert to another removable storage media. In case your removable storage medium is corrupted and can no longer be recovered, you can use your e-Cert File Card to export your e-Cert to the new removable storage medium.
In case you have forgotten your password, you are recommended to revoke your e-Cert immediately and apply for a new e-Cert. You will need to pay the subscription fee as prescribed on the application form.
e-Cert File Card Utility Program is a software program for exporting your e-Cert from the e-Cert File Card to other storage media (such as a USB storage device or other removable storage media) and for changing the password of your e-Cert on the e-Cert File Card. The utility program runs on Windows XP or above.
You may refer to the Installation and User Guide of the e-Cert File Card Utility Program for detailed procedures at our website. Should you have any enquiry, please contact our Customer Services Hotline at 2921 6633.
You require a smart card reader and the e-Cert File Card Utility Program which runs on Windows XP or above.
You can use the same smart card reader for both e-Cert File Card and Smart ID Card. The smart card reader should support the ISO 7816 smart card interface standard and be bundled with a PC/SC driver. You may visit the Hongkong Post online shop "ShopThruPost" to purchase a compatible card reader.
When you apply for a Hongkong Post e-Cert (except server certificate) and select e-Cert File Card as the storage medium for your e-Cert, you can get your e-Cert File Card accordingly.
No. Apart from embedding your e-Cert onto the Smart ID Card, you may choose only one storage medium for your e-Cert.
Hongkong Post Certification Authority has ceased to use floppy diskette as e-Cert storage medium with effect from 1 April 2013.
M. E-CERT FILE USB
e-Cert File USB is a credit card sized USB flash drive which is a storage medium for Hongkong Post e-Cert. The e-Cert stored in it can be easily read by common computers equipped with USB ports.
The major advantage of e-Cert File USB is that the e-Cert stored in it can be read directly by common computers equipped with USB ports without the need for installation of any driver or additional equipment, such as smart card reader or floppy disk drive.
Applicants applying for e-Cert can select e-Cert File USB as e-Cert storage medium at a unit cost of HK$40.
Hongkong Post Certification Authority has ceased to use floppy diskette as e-Cert storage medium with effect from 1 April 2013.
It is suggested that you may approach your information technology support team for their advice and assistance.
e-Cert File Card is a smart card which requires a smart card reader for accessing the e-Cert stored in it. e-Cert File USB is a general USB flash drive. The e-Cert stored in it can be read directly by common computers equipped with USB ports without the need for additional equipment.
N. E-CERT (SERVER)
Applicants may choose the e-Cert (Server) option according to their needs. The following are for reference:
- e-Cert (Server) with "Wildcard" feature: suitable for applicants applying for certificates for multiple server names under the same domain.
For example, an e-Cert (Server) with "Wildcard" feature issued to *.hongkongpost.gov.hk can be used for all of the following server names:
- e-Cert (Server) with "Multi-domain" feature: suitable for applicants applying for certificates for multiple server names under different domains.
For example, an e-Cert (Server) with "Multi-domain" feature may be used for all of the following server names:
- e-Cert (Server) without "Wildcard" feature or "Multi-domain" feature: each certificate identifies one server name only, suitable for applicants applying for certificates for only one or a few servers.
- e-Cert (Server) without "Wildcard" feature or "Multi-domain" feature: Only one server name is allowed, and the wildcard character ("*") is not allowed in any part of the server name.
- e-Cert (Server) with "Wildcard" feature: Only one server name is allowed, and the left-most component of the server name must be a wildcard character ("*").
- e-Cert (Server) with "Multi-domain" feature: Up to 50 server names can be specified, and the wildcard character ("*") is not allowed in any part of the server name(s).
Note: All server names must be owned by the Subscriber Organisation.
e-Cert (Server) with "Wildcard" feature and "Multi-domain" feature have the following advantages:
- e-Cert (Server) with "Wildcard" feature allows the certificate to be used for all server names at the same domain or sub-domain level owned by the Subscriber Organisation.
- e-Cert (Server) with "Multi-domain" feature allows the use of the certificate to identify up to 50 server names owned by the Subscriber Organisation. It also allows server names under different domain names owned by the Subscriber Organisation.
- Maximum validity period is 3 years. (The original e-Cert (Server) has maximum validity period of 2 years only.)
- The certificate includes "digital signature" Key Usage which can be used for server authentication and for establishment of secure communication channels with the server.
Therefore, if the Subscriber Organisation has many server names under the same or different domain names, using e-Cert (Server) with "Wildcard" feature or "Multi-domain" feature is more effective and flexible.
N-4 How do I submit a Certificate Signing Request (CSR) for an e-Cert (Server) with "Wildcard" feature or "Multi-domain" feature? Is there any difference compared with the procedures for submitting a CSR for an e-Cert (Server)?
The procedures for submitting a Certificate Signing Request (CSR) for an e-Cert (Server) with "Wildcard" feature or "Multi-domain" feature are the same as for an e-Cert (Server). You only need to submit one CSR for each applied e-Cert (Server) with "Multi-domain" feature or "Wildcard" feature, regardless of the total number of 'Additional Server Name(s)' in the e-Cert (Server) with "Multi-domain" feature or the number of 'Additional Server(s)' in which the e-Cert (Server) with "Wildcard" feature is to be installed. You only need to input the server name in the Subject Common Name of the CSR; it is not necessary to specify any 'Additional Server Name(s)' in the CSR. The 'Additional Server Name(s)' applied for in the application will be included in the certificate automatically by the system when the certificate is issued. For more details about submission of CSR, please refer to the e-Cert (Server) User Guide.
Only one certificate for each applied e-Cert (Server) with "Wildcard" feature or e-Cert (Server) with "Multi-domain" feature will be issued. Subscriber may copy the certificate for installation in the servers that have been applied in the application form.
No. An e-Cert (Server) certificate can only have either "Multi-domain" feature or "Wildcard" feature. If you need both of the features, then you have to apply for two e-Cert (Server) certificates for the relevant servers, one for "Multi-domain" feature and the other for "Wildcard" feature.
For e-Cert (Server) with "Wildcard" feature, you may search for the certificate by specifying the server name with or without the wildcard component ("*"). For example, to search for the e-Cert (Server) with "Wildcard" feature issued to *.hongkongpost.gov.hk, you can search for *.hongkongpost.gov.hk or hongkongpost.gov.hk to get the certificate. For e-Cert (Server) with "Multi-domain" feature, you may search for the certificate by specifying any one of the server names in it, including the server name used as the Subject Name or any additional server name in the Subject Alternative Name, to find and download the corresponding e-Cert (Server) with "Multi-domain" feature.
All e-Cert (Server) certificates do NOT accept any IP address as server name to be included in the certificates.
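The naming rules above (one name with a single left-most "*" for the Wildcard option, up to 50 non-wildcard names for the Multi-domain option, one plain name otherwise, and never an IP address) can be checked before an application is submitted. The following is an added example, not Hongkong Post's own software; it also shows which server names a Wildcard certificate covers (names one level below the wildcard's domain, as the FAQ describes). The option labels "plain", "wildcard" and "multi-domain" are this example's own.

```python
"""Check proposed e-Cert (Server) names against the FAQ's naming rules.
Added example, not Hongkong Post software. The limits (one name, left-most
"*" only, at most 50 names, no IP addresses) come from the FAQ; the option
labels "plain" / "wildcard" / "multi-domain" are assumptions of this example."""
import ipaddress
import re

MAX_MULTI_DOMAIN_NAMES = 50  # stated limit for the "Multi-domain" feature

# One DNS label: letters, digits and hyphens, not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_address(name):
    """True if the candidate is an IPv4/IPv6 literal (never accepted as a server name)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def is_fqdn(name, allow_wildcard=False):
    """True for a well-formed FQDN of at least two labels. With allow_wildcard,
    a single "*" is accepted as the left-most label and nowhere else."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or is_ip_address(name):
        return False
    if labels[0] == "*":
        if not allow_wildcard:
            return False
        labels = labels[1:]          # "*.com" (one label left) is rejected below
        if len(labels) < 2:
            return False
    return all(_LABEL.match(label) for label in labels)


def check_option(option, names):
    """Return a list of problems; an empty list means the names fit the option."""
    problems = []
    if option in ("plain", "wildcard") and len(names) != 1:
        problems.append(f"{option}: exactly one server name is allowed, got {len(names)}")
    if option == "multi-domain" and not 1 <= len(names) <= MAX_MULTI_DOMAIN_NAMES:
        problems.append(f"multi-domain: 1 to {MAX_MULTI_DOMAIN_NAMES} names allowed, got {len(names)}")
    for n in names:
        if is_ip_address(n):
            problems.append(f"{n}: IP addresses are not accepted as server names")
        elif option == "wildcard":
            if not n.startswith("*."):
                problems.append(f"{n}: the left-most component must be '*'")
            elif not is_fqdn(n, allow_wildcard=True):
                problems.append(f"{n}: only one '*' is allowed, as the left-most component")
        elif not is_fqdn(n):
            problems.append(f"{n}: not a valid server name ('*' is not allowed in this option)")
    return problems


def wildcard_covers(wildcard_name, server_name):
    """"*.example.com" covers names exactly one level below example.com
    (www.example.com, but not example.com or a.b.example.com)."""
    if not wildcard_name.startswith("*.") or not is_fqdn(wildcard_name, allow_wildcard=True):
        return False
    if not is_fqdn(server_name):
        return False
    w = wildcard_name.lower().rstrip(".").split(".")
    s = server_name.lower().rstrip(".").split(".")
    return len(s) == len(w) and s[1:] == w[1:]


if __name__ == "__main__":
    # Constructed sample applications; hongkongpost.gov.hk is the FAQ's own example domain.
    print(check_option("wildcard", ["*.hongkongpost.gov.hk"]))            # []
    print(check_option("wildcard", ["*.*.hongkongpost.gov.hk"]))          # one problem
    print(check_option("multi-domain", ["www.example.com", "203.0.113.7"]))  # IP rejected
    print(wildcard_covers("*.hongkongpost.gov.hk", "www.hongkongpost.gov.hk"))  # True
```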
The subscription fee for an e-Cert (Server) with "Wildcard" feature already includes the subscription fee required for installing the certificate in one server (the default server). If the certificate is to be installed in any additional physical server or virtual machine that operates on a separate operating system from the default server, then each such physical server or virtual machine is chargeable.
Example 1:
e-Cert (Server) with "Wildcard" feature installed in two servers - one server is active while the other server is for standby only. The total number of servers installed with e-Cert (Server) with "Wildcard" feature is two, and the number of 'Additional Servers' is one.
Example 2:
e-Cert (Server) with "Wildcard" feature installed in one physical server and two servers running on virtual machines, each running under a separate operating system. The total number of servers installed with e-Cert (Server) with "Wildcard" feature is three, and the number of 'Additional Servers' is two.
N-10 As the number of Additional Servers is specified in the application for e-Cert (Server) with "Wildcard" feature, what should be done if the number of Additional Servers changes after the certificate is issued?
If the number of Additional Servers increases and the certificate is still within the validity period, then the subscriber may fill in the application form to increase the number of Additional Servers and pay the subscription fee only for the number of Additional Servers increased. The subscription fee to be paid shall cover the whole validity of the certificate regardless of when the certificate is to be used in the Additional Servers. When the certificate is to be renewed, the subscriber should fill in the total number of Additional Servers and pay the subscription fee for certificate renewal as well as the relevant subscription fee for the total number of Additional Servers.
If the number of Additional Servers decreases, the subscriber can only change the number of Additional Servers during the certificate renewal and pay the subscription fee for certificate renewal as well as the relevant subscription fee for the updated number of Additional Servers.
Subscription fee paid for Additional Servers will not be refunded due to decrease of number of Additional Servers.
No. One and only one wildcard character ("*") is allowed in the server name of an e-Cert (Server) with "Wildcard" feature, and the wildcard character ("*") must be in the left-most component of the fully qualified domain name of the server name.
You may apply for an e-Cert (Server) with "Multi-domain" feature for one server name only (i.e. without additional server name) in which "digital signature" Key Usage is enabled.
No. None of the server names in an e-Cert (Server) with "Multi-domain" feature can be changed after the certificate is issued. Subscribers may consider applying for another e-Cert (Server) with the relevant option for the changed server names.
Revocation of an e-Cert (Server) with "Multi-domain" feature can only be applied to all but not some of the server names contained in the certificate. Revocation of an e-Cert (Server) with "Multi-domain" feature will revoke the validity of all server names contained in the certificate.